From cec16b472e5af2de0b849395ba23e9a2e31c64ee Mon Sep 17 00:00:00 2001
From: Will Zakielarz
Date: Thu, 9 Apr 2026 21:01:25 -0400
Subject: [PATCH] Google on prod

---
 .env.production.example | 5 +++++
 .github/workflows/ci.yml | 3 ++-
 api/Dockerfile | 3 +++
 infra/DEPLOY_CI.md | 1 +
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.env.production.example b/.env.production.example
index 8a01881..031ef54 100644
--- a/.env.production.example
+++ b/.env.production.example
@@ -20,3 +20,8 @@ SQS_QUEUE_URL=https://sqs.us-east-1.amazonaws.com/123456789012/cardboardforge-pr
 JWT_SECRET=use-a-long-random-string-matching-prod-if-needed
 PORT=3001
+
+# Not read by ECS at runtime. Use when building the API image locally so the SPA includes Google sign-in:
+# docker build -f api/Dockerfile --build-arg VITE_GOOGLE_CLIENT_ID=your-id.apps.googleusercontent.com .
+# CI uses the repository secret `VITE_GOOGLE_CLIENT_ID` for deploy builds (see infra/DEPLOY_CI.md).
+# VITE_GOOGLE_CLIENT_ID=
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2661428..583858b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -156,7 +156,8 @@ jobs:
 ECR_API: ${{ secrets.ECR_API_REPOSITORY_URL }}
 run: |
 IMG="${ECR_API}:${{ github.sha }}"
-docker build -f api/Dockerfile -t "$IMG" -t "$ECR_API:latest" .
+docker build -f api/Dockerfile -t "$IMG" -t "$ECR_API:latest" \
+--build-arg "VITE_GOOGLE_CLIENT_ID=${{ secrets.VITE_GOOGLE_CLIENT_ID }}" .
 docker run --rm -w /app/api "$IMG" \
 node --input-type=module -e "await import('cors'); console.log('cors ok');"
 docker push "$IMG"
diff --git a/api/Dockerfile b/api/Dockerfile
index 2dbf5ad..c79444e 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
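Review bot: The added `--build-arg` line bakes whatever `secrets.VITE_GOOGLE_CLIENT_ID` expands to into the image, and an unset or misnamed repository secret expands to an empty string, so a misconfigured repository silently ships an SPA without Google sign-in instead of failing the deploy job. Pass the value through the step's environment the way `ECR_API` appears to be (`VITE_GOOGLE_CLIENT_ID: ${{ secrets.VITE_GOOGLE_CLIENT_ID }}`), fail early in the script with `: "${VITE_GOOGLE_CLIENT_ID:?VITE_GOOGLE_CLIENT_ID secret is not set}"`, and reference it as `--build-arg "VITE_GOOGLE_CLIENT_ID=$VITE_GOOGLE_CLIENT_ID"` rather than interpolating the expression into the shell line. Build args are recorded in the history of the stage that declares them, so this pattern is only acceptable because an OAuth web client ID is a public identifier; a one-line comment saying so would keep it from being copied for a real secret. The step's `env:` key and the start of the job are above the hunk.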
@@ -14,6 +14,9 @@ WORKDIR /app/api
 ENV DATABASE_URL="postgresql://placeholder:placeholder@localhost:5432/placeholder"
 RUN pnpm exec prisma generate && pnpm run build
 WORKDIR /app
+# Baked into the SPA at build time (OAuth 2.0 Web client ID from Google Cloud Console).
+ARG VITE_GOOGLE_CLIENT_ID=
+ENV VITE_GOOGLE_CLIENT_ID=$VITE_GOOGLE_CLIENT_ID
 RUN pnpm --filter frontend build
 FROM node:20-alpine AS production
diff --git a/infra/DEPLOY_CI.md b/infra/DEPLOY_CI.md
index cd3ec45..35fa202 100644
--- a/infra/DEPLOY_CI.md
+++ b/infra/DEPLOY_CI.md
@@ -32,6 +32,7 @@ Create these in **Settings → Secrets and variables → Actions** (repository s
 | `ECS_CLUSTER_NAME` | `terraform output -raw ecs_cluster_name` |
 | `ECS_API_SERVICE_NAME` | `terraform output -raw ecs_api_service_name` |
 | `ECS_WORKER_SERVICE_NAME` | `terraform output -raw ecs_worker_service_name` |
+| `VITE_GOOGLE_CLIENT_ID` | OAuth 2.0 **Web** client ID from [Google Cloud Console](https://console.cloud.google.com/apis/credentials) (same value as local `frontend/.env.local`). Baked into the SPA when the API image is built. Add your production site URL under **Authorized JavaScript origins**. |
 Use a dedicated IAM user with least privilege: ECR push to both repos, `ecs:UpdateService` / `DescribeServices` on the cluster services.
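Review bot: The new `ENV VITE_GOOGLE_CLIENT_ID=$VITE_GOOGLE_CLIENT_ID` line is redundant: an `ARG` declared inside a stage is already exported to the environment of every later `RUN` in that stage, so `pnpm --filter frontend build` sees the value from `ARG VITE_GOOGLE_CLIENT_ID=` alone, and dropping the `ENV` keeps the value out of the build stage's persisted config. Because the `ARG` default is empty, a `docker build` without `--build-arg` silently produces an SPA with no Google sign-in; extend the new comment to say so, e.g. `# Empty (the default) builds the SPA without Google sign-in; CI supplies it via --build-arg.` As far as this hunk shows, the `production` stage starts from a fresh `node:20-alpine` base, so neither the `ARG` nor the `ENV` reaches the runtime image; the build stage's own `FROM` line is above the hunk.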